Model poisoning attacks pose a significant security threat to Federated Learning (FL). Most existing model poisoning attacks rely on collusion, requiring adversarial clients to coordinate by exchanging local benign models and synchronizing the generation of their poisoned updates. However, sustaining such coordination is increasingly impractical in real-world FL deployments, as it effectively requires botnet-like control over many devices. This approach is costly to maintain and highly vulnerable to detection. This context raises a fundamental question: Can model poisoning attacks remain effective without any communication between attackers? To address this challenge, we introduce and formalize the \textbf{non-collusive attack model}, in which all compromised clients share a common adversarial objective but operate independently. Under this model, each attacker generates its malicious update without communicating with other adversaries, accessing other clients' updates, or relying on any knowledge of server-side defenses. To demonstrate the feasibility of this threat model, we propose \textbf{XFED}, the first aggregation-agnostic, non-collusive model poisoning attack. Our empirical evaluation across six benchmark datasets shows that XFED bypasses eight state-of-the-art defenses and outperforms six existing model poisoning attacks. These findings indicate that FL systems are substantially less secure than previously believed and underscore the urgent need for more robust and practical defense mechanisms.

翻译：模型投毒攻击对联邦学习构成重大安全威胁。现有大多数模型投毒攻击依赖共谋，要求对抗性客户端通过交换本地良性模型并同步生成中毒更新来进行协调。然而，在实际联邦学习部署中维持这种协调日益不切实际，因为它实际上需要类似僵尸网络的控制能力来操控多台设备。这种方法维护成本高昂且极易被检测到。这一现状引发了一个根本性问题：在攻击者之间没有任何通信的情况下，模型投毒攻击能否保持有效性？为解决这一挑战，我们引入并形式化了\textbf{非共谋攻击模型}，其中所有被攻陷的客户端共享共同的对抗目标，但独立运行。在此模型下，每个攻击者生成恶意更新时无需与其他对手通信、访问其他客户端更新或依赖任何关于服务端防御的知识。为证明该威胁模型的可行性，我们提出\textbf{XFED}——首个聚合无关的非共谋模型投毒攻击。我们在六个基准数据集上的实证评估表明，XFED能够绕过八种最先进的防御机制，并优于六种现有模型投毒攻击。这些发现表明联邦学习系统的安全性远低于先前认知，且亟需更鲁棒、更实用的防御机制。